In what occasion will Honeycomb generate snort signatures ?
Hi guys,
I've just finished setting up honeyd and honeycomb under Debian for the first time. What I want to ask is: on what occasion does honeycomb generate a Snort signature? Or, to make it simpler, what should I do to test my honeycomb plugin?
Thank you very much
I've no experience with honeypots or honeynets but if you've set up a honeyPOT on one particular exposed system, it is more than likely set up as host-based. Snort is network-based. It is quite possible that Snort will not alert on a host-based attack. We see this at work all the time. Also, host-based detection is much less 'noisy' than network based.
I'd be relying more on the logs that show on the honeypot if I were looking for some type of host-based attack.
Thank you for the answer, unixfool
Apparently I've read all those links, and I found no details about how I generate a Snort signature from honeycomb. Has anyone else had experience using honeycomb?
Bad traffic has to happen to be logged. If you're not seeing anything, either your setup isn't working correctly, your placement of your honeypot isn't optimal or something is filtering upstream traffic of bad qualities, before it gets to the honeypot.
Based on the reading I've done (those links I provided you), Honeycomb will autogenerate Snort sigs, but that's all it will do. You will have to either totally expose the honeypot to bad traffic or use something like milw0rm to run exploits against the honeypot, which would get Honeycomb to create a sig.
How do you have things set up? Where is your honeypot set up in relation to the rest of your network? What traffic has it seen so far and is there some indication that Honeycomb isn't working?
I know you're looking for someone else to answer, but no one else has yet to chime in. One issue that I noticed is that your posts aren't clear in what assistance you need. It also isn't clear what you've currently done to troubleshoot this issue and what you expect as assistance from these forums. I'm finding it hard to help you because you've not given much info into your problem and you're also a bit dismissive. It would be easier to help you if you were more open with your issues and less demanding for answers when you haven't provided much to begin with.
I agree that the first thing to check is proper build and config; the latter should be easy to check using "--verify-config". I ran honeyd+honeycomb out of DHCP with a MAC I temporarily repurposed. Apart from the honeypot being reachable, Arpwatch will throw some MAC address and ARP flip-flopping warnings, which serves as a check as well. Throwing some minor nmap fun against it does result in sigs being logged, but to what extent they're useful prolly is an eye-of-the-beholder thing:
Code:
alert tcp 240.0.0.0/8 0 -> any 0,7946,13834,14858,32522 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,7946,13834,17930,32522 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FS+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,7946,14858,40202 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,7946,9226,14090,14858 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FS+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,7946,9226,14858 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FS2+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,7946,9226,9482,12298,12554,13834,14090,14602,14858,15626,17930,23050,29194,32522,40202,40458 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA2+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,7946,9482,13834,14090,14858,15626,40202 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FS+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,9226,9482 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA2; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,9226 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA2+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0,9482,12298,14858,40458 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA2+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FS2+; ack: 1746178570; flow: stateless; )
alert tcp 240.0.0.0/8 0 -> any 0 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA2+; ack: 1746178570; flow: stateless; )
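A small triage script, added here as an example and not from the thread or the Honeycomb project, that parses Snort rule lines shaped like the ones quoted above and scores how specific each is (constrained addresses, ports, payload content). Rules that match "any 0 -> any 0" on TCP flags alone would fire on almost any traffic, which is the "eye of the beholder" problem above; the embedded sample rules are constructed for the demo.

```python
import re

# Constructed sample rules in the shape of the Honeycomb output quoted in this thread
# (the third line is a hand-written rule with a payload match, for contrast).
SAMPLE_RULES = """\
alert tcp 240.0.0.0/8 0 -> any 0,9226 (msg: "Honeycomb Day Month HourhMinutesmSecs Year "; ip_proto: "20"; fragbits: R; flags: FSA2+; ack: 1746178570; flow: stateless; )
alert tcp any 0 -> any 0 (msg: "Honeycomb Tue May 19 03h06m46 2009 "; ip_proto: "ip"; flags: F+; flow: stateless; )
alert tcp any any -> any 135 (msg: "constructed rule with payload"; content: "|05 00 0B|"; flow: to_server; )
"""

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
PAYLOAD_KEYS = ("content", "pcre", "uricontent")

def parse_rule(line):
    """Split one Snort rule into header fields and an option dict; None if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, _direction, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(";"):
        key, _, val = item.partition(":")
        if key.strip():
            opts[key.strip()] = val.strip().strip('"') if val else True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def ports_specified(field):
    """'any' and a bare 0 (or a list containing only 0) mean no port constraint."""
    return field != "any" and any(p != "0" for p in field.split(","))

def assess(rule):
    """Specificity score: +1 per constrained address/port, +2 for a payload match."""
    score, reasons = 0, []
    for name in ("src", "dst"):
        if rule[name] != "any": score += 1
        else: reasons.append(f"{name} is any")
    for name in ("sport", "dport"):
        if ports_specified(rule[name]): score += 1
        else: reasons.append(f"{name} unconstrained")
    if any(k in rule["opts"] for k in PAYLOAD_KEYS): score += 2
    else: reasons.append("no payload match, header fields only")
    return score, reasons

def triage(text):
    """Return (score, msg, reasons) per rule, noisiest (lowest score) first."""
    results = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            score, reasons = assess(rule)
            results.append((score, rule["opts"].get("msg", "").strip(), reasons))
    return sorted(results, key=lambda r: r[0])

if __name__ == "__main__":
    for score, msg, reasons in triage(SAMPLE_RULES):
        print(f"{score}  {msg!r}: {', '.join(reasons) or 'ok'}")
```

Feed it the signature report file Honeycomb writes and the rules at the top of the list are the ones to review or drop before they go anywhere near a production Snort ruleset.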
I've also tried to probe my honeycomb host with nmap, and it returns signatures similar to unSpawn's. What I am trying to do now is to generate a Snort signature for the rpc-dcom exploit (http://packetstormsecurity.org/0307-exploits/dcom.c).
Here's my honeyd + honeycomb configuration:
And it didn't generate any signatures. I'm still looking for a way to generate signatures for this rpc-dcom exploit. I'm sorry for still bothering you guys..
I don't know what you want me to do? You could run the exploit against a mcrsft host and capture the packets, then run them through Snort (with the right ruleset) and see if it picks it up (should, as it's a known '03 exploit), run it against your honeypot and capture, then compare packets with the mcrsft one. If there's a difference there's something wrong; if not, I might run it myself and see if I can elicit a more favourable response.
I just want to know how I can generate rpcdcom exploit Snort signatures by using honeycomb?
'Cause this is all I got when I ran the rpcdcom exploit against the honeypot:
Quote:
# Signature report at Tue May 19 03:06:56 2009
alert tcp any 0 -> any 0 (msg: "Honeycomb Tue May 19 03h06m46 2009 "; ip_proto: "ip"; flags: F+; flow: stateless; )
alert tcp any 0 -> any 0 (msg: "Honeycomb Tue May 19 03h06m46 2009 "; ip_proto: "ip"; flags: FPA1; flow: stateless;
It's appreciated you posted your conf and log but that act itself doesn't constitute troubleshooting. When something goes wrong or doesn't work as advertised you want to start analysing. Bonus points for having an actual environment to baseline it against, else move on to the Next Best Thing (if you don't want to root your mcrsft box or had it patched). Let me know if you disagree with the packet capture approach.